Recovering infected snapshots in a snapshot chain

ABSTRACT

Subject matter related to data management is disclosed. A most recent snapshot in a snapshot chain that is not infected by malware may be identified based on mounting snapshots in the snapshot chain and determining whether the snapshots are infected. A selection of an infected snapshot may be received, where the infected snapshot may be more recent than the identified most recent snapshot. The selected infected snapshot may be mounted. Based on mounting the infected snapshot, a determination of which content in the selected snapshot are not infected may be made. Based on determining which content in the selected snapshot is not infected, at least one of the non-infected content may be recovered.

CROSS REFERENCE

The Present Application for Patent claims the benefit of U.S.Provisional Application No. 63/421,536 by Chandra et al., entitled “BULKSNAPSHOT RECOVERY” and filed Nov. 1, 2022; U.S. Provisional ApplicationNo. 63/319,953 by Chandra et al., entitled “QUARANTINING INFORMATION INBACKUP LOCATIONS” and filed Mar. 15, 2022; and U.S. ProvisionalApplication No. 63/276,822 by Gee et al., entitled “MALWARE DETECTION INSNAPSHOTS” and filed Nov. 8, 2021, each of which is assigned to theassignee hereof and expressly incorporated by reference herein.

TECHNICAL FIELD

The present disclosure relates generally to data management includingtechniques for recovering infected snapshots in a snapshot chain.

BACKGROUND

The volume and complexity of data that is collected, analyzed, andstored is increasing rapidly over time. The computer infrastructure usedto handle this data is also becoming more complex, with more processingpower and more portability. As a result, data management and storage isbecoming increasingly important. Significant issues of these processesinclude access to reliable data backup and storage, and fast datarecovery in cases of failure. Other aspects include data portabilityacross locations and platforms.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 depicts one embodiment of a networked computing environment inwhich the disclosed technology may be practiced, according to an exampleembodiment.

FIG. 2 depicts one embodiment of the server of FIG. 1 , according to anexample embodiment.

FIG. 3 depicts one embodiment of the storage appliance of FIG. 1 ,according to an example embodiment.

FIG. 4 shows an example cluster of a distributed decentralized database,according to some example embodiments.

FIG. 5 depicts a block diagram of a malware engine according to anexample embodiment.

FIG. 6 depicts a flowchart illustrating a method of scanning a snapshotfor malware according to an example embodiment.

FIG. 7 depicts an example interface according to an example embodiment.

FIG. 8 depicts a flowchart illustrating a method of recovering anon-infected file in an infected snapshot according to an exampleembodiment.

FIG. 9 depicts a flowchart illustrating a method of recovering aninfected snapshot according to an example embodiment.

FIG. 10 depicts a flowchart illustrating a method of recoveringnon-infected content within an infected snapshot according to an exampleembodiment.

DETAILED DESCRIPTION

The description that follows includes systems, methods, techniques,instruction sequences, and computing machine program products thatembody illustrative embodiments of the present disclosure. In thefollowing description, for purposes of explanation, numerous specificdetails are set forth in order to provide a thorough understanding ofexample embodiments. It will be evident, however, to one skilled in theart that the present inventive subject matter may be practiced withoutthese specific details.

A portion of the disclosure of this patent document contains materialthat is subject to copyright protection. The copyright owner has noobjection to the facsimile reproduction by anyone of the patent documentor the patent disclosure, as it appears in the Patent and TrademarkOffice patent files or records, but otherwise reserves all copyrightrights whatsoever. The following notice applies to the software and dataas described below and in the drawings that form a part of thisdocument: Copyright Rubrik, Inc., 2018-2021, All Rights Reserved.

It will be appreciated that some of the examples disclosed herein aredescribed in the context of virtual machines that are backed up by usingbase and incremental snapshots, for example. This should not necessarilybe regarded as limiting of the disclosures. The disclosures, systems andmethods described herein apply not only to virtual machines of all typesthat run a file system (for example), but also to NAS devices, physicalmachines (for example Linux servers), and databases.

FIG. 1 depicts one embodiment of a networked computing environment 100in which the disclosed technology may be practiced. As depicted, thenetworked computing environment 100 includes a data center 106, astorage appliance 102, and a computing device 108 in communication witheach other via one or more networks 128. The networked computingenvironment 100 may also include a plurality of computing devicesinterconnected through one or more networks 128. The one or morenetworks 128 may allow computing devices and/or storage devices toconnect to and communicate with other computing devices and/or otherstorage devices. In some cases, the networked computing environment 100may include other computing devices and/or other storage devices notshown. The other computing devices may include, for example, a mobilecomputing device, a non-mobile computing device, a server, awork-station, a laptop computer, a tablet computer, a desktop computer,or an information processing system. The other storage devices mayinclude, for example, a storage area network storage device, anetworked-attached storage device, a hard disk drive, a solid-statedrive, or a data storage system.

The data center 106 may include one or more servers, such as server 200,in communication with one or more storage devices, such as storagedevice 104. The one or more servers may also be in communication withone or more storage appliances, such as storage appliance 102. Theserver 200, storage device 104, and storage appliance 300 may be incommunication with each other via a networking fabric connecting serversand data storage units within the data center 106 to each other. Thestorage appliance 300 may include a data management system for backingup virtual machines and/or files within a virtualized infrastructure.The server 200 may be used to create and manage one or more virtualmachines associated with a virtualized infrastructure.

The one or more virtual machines may run various applications, such as adatabase application or a web server. The storage device 104 may includeone or more hardware storage devices for storing data, such as a harddisk drive (HDD), a magnetic tape drive, a solid-state drive (SSD), astorage area network (SAN) storage device, or a Networked-AttachedStorage (NAS) device. In some cases, a data center, such as data center106, may include thousands of servers and/or data storage devices incommunication with each other. The one or more data storage devices 104may comprise a tiered data storage infrastructure (or a portion of atiered data storage infrastructure). The tiered data storageinfrastructure may allow for the movement of data across different tiersof a data storage infrastructure between higher-cost, higher-performancestorage devices (e.g., solid-state drives and hard disk drives) andrelatively lower-cost, lower-performance storage devices (e.g., magnetictape drives).

The one or more networks 128 may include a secure network such as anenterprise private network, an unsecure network such as a wireless opennetwork, a local area network (LAN), a wide area network (WAN), and theInternet. The one or more networks 128 may include a cellular network, amobile network, a wireless network, or a wired network. Each network ofthe one or more networks 128 may include hubs, bridges, routers,switches, and wired transmission media such as a direct-wiredconnection. The one or more networks 128 may include an extranet orother private network for securely sharing information or providingcontrolled access to applications or files.

A server, such as server 200, may allow a client to download informationor files (e.g., executable, text, application, audio, image, or videofiles) from the server 200 or to perform a search query related toparticular information stored on the server 200. In some cases, a servermay act as an application server or a file server. In general, server200 may refer to a hardware device that acts as the host in aclient-server relationship or a software process that shares a resourcewith or performs work for one or more clients.

One embodiment of server 200 includes a network interface 110, processor112, memory 114, disk 116, and virtualization manager 118 all incommunication with each other. Network interface 110 allows server 200to connect to one or more networks 128. Network interface 110 mayinclude a wireless network interface and/or a wired network interface.Processor 112 allows server 200 to execute computer-readableinstructions stored in memory 114 in order to perform processesdescribed herein. Processor 112 may include one or more processingunits, such as one or more CPUs and/or one or more GPUs. Memory 114 maycomprise one or more types of memory (e.g., RAM, SRAM, DRAM, ROM,EEPROM, Flash, etc.). Disk 116 may include a hard disk drive and/or asolid-state drive. Memory 114 and disk 116 may comprise hardware storagedevices.

The virtualization manager 118 may manage a virtualized infrastructureand perform management operations associated with the virtualizedinfrastructure. The virtualization manager 118 may manage theprovisioning of virtual machines running within the virtualizedinfrastructure and provide an interface to computing devices interactingwith the virtualized infrastructure. In one example, the virtualizationmanager 118 may set a virtual machine having a virtual disk into afrozen state in response to a snapshot request made via an applicationprogramming interface (API) by a storage appliance, such as storageappliance 300. Setting the virtual machine into a frozen state may allowa point in time snapshot of the virtual machine to be stored ortransferred. In one example, updates made to a virtual machine that hasbeen set into a frozen state may be written to a separate file (e.g., anupdate file) while the virtual disk may be set into a read-only state toprevent modifications to the virtual disk file while the virtual machineis in the frozen state.

The virtualization manager 118 may then transfer data associated withthe virtual machine (e.g., an image of the virtual machine or a portionof the image of the virtual disk file associated with the state of thevirtual disk at the point in time it is frozen) to a storage appliance(for example, a storage appliance 102 or storage appliance 300 of FIG. 1, described further below) in response to a request made by the storageappliance. After the data associated with the point in time snapshot ofthe virtual machine has been transferred to the storage appliance 300(for example), the virtual machine may be released from the frozen state(i.e., unfrozen) and the updates made to the virtual machine and storedin the separate file may be merged into the virtual disk file. Thevirtualization manager 118 may perform various virtual machine-relatedtasks, such as cloning virtual machines, creating new virtual machines,monitoring the state of virtual machines, moving virtual machinesbetween physical hosts for load balancing purposes, and facilitatingbackups of virtual machines.

One embodiment of a storage appliance 300 (or storage appliance 102)includes a network interface 120, processor 122, memory 124, and disk126 all in communication with each other. Network interface 120 allowsstorage appliance 300 to connect to one or more networks 128. Networkinterface 120 may include a wireless network interface and/or a wirednetwork interface. Processor 122 allows storage appliance 300 to executecomputer readable instructions stored in memory 124 in order to performprocesses described herein. Processor 122 may include one or moreprocessing units, such as one or more CPUs and/or one or more GPUs.Memory 124 may comprise one or more types of memory (e.g., RAM, SRAM,DRAM, ROM, EEPROM, NOR Flash, NAND Flash, etc.). Disk 126 may include ahard disk drive and/or a solid-state drive. Memory 124 and disk 126 maycomprise hardware storage devices.

In one embodiment, the storage appliance 300 may include four machines.Each of the four machines may include a multi-core CPU, 64 GB of RAM, a400 GB SSD, three 4 TB HDDs, and a network interface controller. In thiscase, the four machines may be in communication with the one or morenetworks 128 via the four network interface controllers. The fourmachines may comprise four nodes of a server cluster. The server clustermay comprise a set of physical machines that are connected together viaa network. The server cluster may be used for storing data associatedwith a plurality of virtual machines, such as backup data associatedwith different point-in-time versions of the virtual machines.

The networked computing environment 100 may provide a cloud computingenvironment for one or more computing devices. Cloud computing may referto Internet-based computing, wherein shared resources, software, and/orinformation may be provided to one or more computing devices on-demandvia the Internet. The networked computing environment 100 may comprise acloud computing environment providing Software-as-a-Service (SaaS) orInfrastructure-as-a-Service (IaaS) services. SaaS may refer to asoftware distribution model in which applications are hosted by aservice provider and made available to end users over the Internet. Inone embodiment, the networked computing environment 100 may include avirtualized infrastructure that provides software, data processing,and/or data storage services to end users accessing the services via thenetworked computing environment 100. In one example, networked computingenvironment 100 may provide cloud-based work productivity orbusiness-related applications to a computing device, such as computingdevice 108. The storage appliance 102 may comprise a cloud-based datamanagement system for backing up virtual machines and/or files within avirtualized infrastructure, such as virtual machines running on server200/or files stored on server 200.

In some cases, networked computing environment 100 may provide remoteaccess to secure applications and files stored within data center 106from a remote computing device, such as computing device 108. The datacenter 106 may use an access control application to manage remote accessto protected resources, such as protected applications, databases, orfiles located within the data center 106. To facilitate remote access tosecure applications and files, a secure network connection may beestablished using a virtual private network (VPN). A VPN connection mayallow a remote computing device, such as computing device 108, tosecurely access data from a private network (e.g., from a company fileserver or mail server) using an unsecure public network or the Internet.The VPN connection may require client-side software (e.g., running onthe remote computing device) to establish and maintain the VPNconnection. The VPN client software may provide data encryption andencapsulation prior to the transmission of secure private networktraffic through the Internet.

In some embodiments, the storage appliance 300 may manage the extractionand storage of virtual machine snapshots associated with different pointin time versions of one or more virtual machines running within the datacenter 106. A snapshot of a virtual machine may correspond with a stateof the virtual machine at a particular point-in-time. In response to arestore command from the storage device 104, the storage appliance 300may restore a point-in-time version of a virtual machine or restorepoint-in-time versions of one or more files located on the virtualmachine and transmit the restored data to the server 200. In response toa mount command from the server 200, the storage appliance 300 may allowa point-in-time version of a virtual machine to be mounted and allow theserver 200 to read and/or modify data associated with the point-in-timeversion of the virtual machine. To improve storage density, the storageappliance 300 may deduplicate and compress data associated withdifferent versions of a virtual machine and/or deduplicate and compressdata associated with different virtual machines. To improve systemperformance, the storage appliance 300 may first store virtual machinesnapshots received from a virtualized environment in a cache, such as aflash-based cache. The cache may also store popular data or frequentlyaccessed data (e.g., based on a history of virtual machine restorations,incremental files associated with commonly restored virtual machineversions) and current day incremental files or incremental filescorresponding with snapshots captured within the past 24 hours.

An incremental file may comprise a forward incremental file or a reverseincremental file. A forward incremental file may include a set of datarepresenting changes that have occurred since an earlier point-in-timesnapshot of a virtual machine. To generate a snapshot of the virtualmachine corresponding with a forward incremental file, the forwardincremental file may be combined with an earlier point in time snapshotof the virtual machine (e.g., the forward incremental file may becombined with the last full image of the virtual machine that wascaptured before the forward incremental file was captured and any otherforward incremental files that were captured subsequent to the last fullimage and prior to the forward incremental file). A reverse incrementalfile may include a set of data representing changes from a laterpoint-in-time snapshot of a virtual machine. To generate a snapshot ofthe virtual machine corresponding with a reverse incremental file, thereverse incremental file may be combined with a later point-in-timesnapshot of the virtual machine (e.g., the reverse incremental file maybe combined with the most recent snapshot of the virtual machine and anyother reverse incremental files that were captured prior to the mostrecent snapshot and subsequent to the reverse incremental file).

The storage appliance 300 may provide a user interface (e.g., aweb-based interface or a graphical user interface) that displays virtualmachine backup information such as identifications of the virtualmachines protected and the historical versions or time machine views foreach of the virtual machines protected. A time machine view of a virtualmachine may include snapshots of the virtual machine over a plurality ofpoints in time. Each snapshot may comprise the state of the virtualmachine at a particular point in time. Each snapshot may correspond witha different version of the virtual machine (e.g., Version 1 of a virtualmachine may correspond with the state of the virtual machine at a firstpoint in time and Version 2 of the virtual machine may correspond withthe state of the virtual machine at a second point in time subsequent tothe first point in time).

The user interface may enable an end user of the storage appliance 300(e.g., a system administrator or a virtualization administrator) toselect a particular version of a virtual machine to be restored ormounted. When a particular version of a virtual machine has beenmounted, the particular version may be accessed by a client (e.g., avirtual machine, a physical machine, or a computing device) as if theparticular version was local to the client. A mounted version of avirtual machine may correspond with a mount point directory (e.g.,/snapshots/VM5Nersion23). In one example, the storage appliance 300 mayrun an NFS server and make the particular version (or a copy of theparticular version) of the virtual machine accessible for reading and/orwriting. The end user of the storage appliance 300 may then select theparticular version to be mounted and run an application (e.g., a dataanalytics application) using the mounted version of the virtual machine.In another example, the particular version may be mounted as an iSCSItarget.

FIG. 2 depicts one embodiment of server 200 of FIG. 1 . The server 200may comprise one server out of a plurality of servers that are networkedtogether within a data center (e.g., data center 106). In one example,the plurality of servers may be positioned within one or more serverracks within the data center. As depicted, the server 200 includeshardware-level components and software-level components. Thehardware-level components include one or more processors 202, one ormore memory 204, and one or more disks 206. The software-levelcomponents include a hypervisor 208, a virtualized infrastructuremanager 222, and one or more virtual machines, such as virtual machine220. The hypervisor 208 may comprise a native hypervisor or a hostedhypervisor. The hypervisor 208 may provide a virtual operating platformfor running one or more virtual machines, such as virtual machine 220.Virtual machine 220 includes a plurality of virtual hardware devicesincluding a virtual processor 210, a virtual memory 212, and a virtualdisk 214. The virtual disk 214 may comprise a file stored within the oneor more disks 206. In one example, a virtual machine 220 may include aplurality of virtual disks 214, with each virtual disk of the pluralityof virtual disks 214 associated with a different file stored on the oneor more disks 206. Virtual machine 220 may include a guest operatingsystem 216 that runs one or more applications, such as application 218.

The virtualized infrastructure manager 222, which may correspond withthe virtualization manager 118 in FIG. 1 , may run on a virtual machineor natively on the server 200. The virtual machine may, for example, beor include the virtual machine 220 or a virtual machine separate fromthe server 200. Other arrangements are possible. The virtualizedinfrastructure manager 222 may provide a centralized platform formanaging a virtualized infrastructure that includes a plurality ofvirtual machines. The virtualized infrastructure manager 222 may managethe provisioning of virtual machines running within the virtualizedinfrastructure and provide an interface to computing devices interactingwith the virtualized infrastructure. The virtualized infrastructuremanager 222 may perform various virtualized infrastructure relatedtasks, such as cloning virtual machines, creating new virtual machines,monitoring the state of virtual machines, and facilitating backups ofvirtual machines.

In one embodiment, the server 200 may use the virtualized infrastructuremanager 222 to facilitate backups for a plurality of virtual machines(e.g., eight different virtual machines) running on the server 200. Eachvirtual machine running on the server 200 may run its own guestoperating system and its own set of applications. Each virtual machinerunning on the server 200 may store its own set of files using one ormore virtual disks associated with the virtual machine (e.g., eachvirtual machine may include two virtual disks that are used for storingdata associated with the virtual machine).

In one embodiment, a data management application running on a storageappliance, such as storage appliance 102 in FIG. 1 or storage appliance300 in FIG. 1 , may request a snapshot of a virtual machine running onserver 200. The snapshot of the virtual machine may be stored as one ormore files, with each file associated with a virtual disk of the virtualmachine. A snapshot of a virtual machine may correspond with a state ofthe virtual machine at a particular point in time. The particular pointin time may be associated with a time stamp. In one example, a firstsnapshot of a virtual machine may correspond with a first state of thevirtual machine (including the state of applications and files stored onthe virtual machine) at a first point in time and a second snapshot ofthe virtual machine may correspond with a second state of the virtualmachine at a second point in time subsequent to the first point in time.

In response to a request for a snapshot of a virtual machine at aparticular point in time, the virtualized infrastructure manager 222 mayset the virtual machine into a frozen state or store a copy of thevirtual machine at the particular point in time. The virtualizedinfrastructure manager 222 may then transfer data associated with thevirtual machine (e.g., an image of the virtual machine or a portion ofthe image of the virtual machine) to the storage appliance 300 orstorage appliance 102. The data associated with the virtual machine mayinclude a set of files including a virtual disk file storing contents ofa virtual disk of the virtual machine at the particular point in timeand a virtual machine configuration file storing configuration settingsfor the virtual machine at the particular point in time. The contents ofthe virtual disk file may include the operating system used by thevirtual machine, local applications stored on the virtual disk, and userfiles (e.g., images and word processing documents). In some cases, thevirtualized infrastructure manager 222 may transfer a full image of thevirtual machine to the storage appliance 102 or storage appliance 300 ofFIG. 1 or a plurality of data blocks corresponding with the full image(e.g., to enable a full image-level backup of the virtual machine to bestored on the storage appliance). In other cases, the virtualizedinfrastructure manager 222 may transfer a portion of an image of thevirtual machine associated with data that has changed since an earlierpoint in time prior to the particular point in time or since a lastsnapshot of the virtual machine was taken. In one example, thevirtualized infrastructure manager 222 may transfer only data associatedwith virtual blocks stored on a virtual disk of the virtual machine thathave changed since the last snapshot of the virtual machine was taken.In one embodiment, the data management application may specify a firstpoint in time and a second point in time and the virtualizedinfrastructure manager 222 may output one or more virtual data blocksassociated with the virtual machine that have been modified between thefirst point in time and the second point in time.

In some embodiments, the server 200 or the hypervisor 208 maycommunicate with a storage appliance, such as storage appliance 102 inFIG. 1 or storage appliance 300 in FIG. 1 , using a distributed filesystem protocol such as Network File System (NFS) Version 3, or ServerMessage Block (SMB) protocol. The distributed file system protocol mayallow the server 200 or the hypervisor 208 to access, read, write, ormodify files stored on the storage appliance as if the files werelocally stored on the server 200. The distributed file system protocolmay allow the server 200 or the hypervisor 208 to mount a directory or aportion of a file system located within the storage appliance.

FIG. 3 depicts one embodiment of storage appliance 300 in FIG. 1 . Thestorage appliance may include a plurality of physical machines that maybe grouped together and presented as a single computing system. Eachphysical machine of the plurality of physical machines may comprise anode in a cluster (e.g., a failover cluster). In one example, thestorage appliance may be positioned within a server rack within a datacenter. As depicted, the storage appliance 300 includes hardware-levelcomponents and software-level components. The hardware-level componentsinclude one or more physical machines, such as physical machine 314 andphysical machine 324. The physical machine 314 includes a networkinterface 316, processor 318, memory 320, and disk 322 all incommunication with each other. Processor 318 allows physical machine 314to execute computer readable instructions stored in memory 320 toperform processes described herein. Disk 322 may include a hard diskdrive and/or a solid-state drive. The physical machine 324 includes anetwork interface 326, processor 328, memory 330, and disk 332 all incommunication with each other. Processor 328 allows physical machine 324to execute computer readable instructions stored in memory 330 toperform processes described herein. Disk 332 may include a hard diskdrive and/or a solid-state drive. In some cases, disk 332 may include aflash-based SSD or a hybrid HDD/SSD drive. In one embodiment, thestorage appliance 300 may include a plurality of physical machinesarranged in a cluster (e.g., eight machines in a cluster). Each of theplurality of physical machines may include a plurality of multi-coreCPUs, 108 GB of RAM, a 500 GB SSD, four 4 TB HDDs, and a networkinterface controller.

In some embodiments, the plurality of physical machines may be used toimplement a cluster-based network fileserver. The cluster-based networkfile server may neither require nor use a front-end load balancer. Oneissue with using a front-end load balancer to host the IP address forthe cluster-based network file server and to forward requests to thenodes of the cluster-based network file server is that the front-endload balancer comprises a single point of failure for the cluster-basednetwork file server. In some cases, the file system protocol used by aserver, such as server 200 in FIG. 1 , or a hypervisor, such ashypervisor 208 in FIG. 2 , to communicate with the storage appliance 300may not provide a failover mechanism (e.g., NFS Version 3). In the casethat no failover mechanism is provided on the client side, thehypervisor may not be able to connect to a new node within a cluster inthe event that the node connected to the hypervisor fails.

In some embodiments, each node in a cluster may be connected to eachother via a network and may be associated with one or more IP addresses(e.g., two different IP addresses may be assigned to each node). In oneexample, each node in the cluster may be assigned a permanent IP addressand a floating IP address and may be accessed using either the permanentIP address or the floating IP address. In this case, a hypervisor, suchas hypervisor 208 in FIG. 2 , may be configured with a first floating IPaddress associated with a first node in the cluster. The hypervisor mayconnect to the cluster using the first floating IP address. In oneexample, the hypervisor may communicate with the cluster using the NFSVersion 3 protocol. Each node in the cluster may run a Virtual RouterRedundancy Protocol (VRRP) daemon. A daemon may comprise a backgroundprocess. Each VRRP daemon may include a list of all floating IPaddresses available within the cluster. In the event that the first nodeassociated with the first floating IP address fails, one of the VRRPdaemons may automatically assume or pick up the first floating IPaddress if no other VRRP daemon has already assumed the first floatingIP address. Therefore, if the first node in the cluster fails orotherwise goes down, then one of the remaining VRRP daemons running onthe other nodes in the cluster may assume the first floating IP addressthat is used by the hypervisor for communicating with the cluster.

In order to determine which of the other nodes in the cluster willassume the first floating IP address, a VRRP priority may beestablished. In one example, given a number (N) of nodes in a clusterfrom node(0) to node(N−1), for a floating IP address (i), the VRRPpriority of nodeG) may be G-i) modulo N. In another example, given anumber (N) of nodes in a cluster from node(0) to node(N−1), for afloating IP address (i), the VRRP priority of nodeG) may be (i j) moduloN. In these cases, nodeG) will assume floating IP address (i) only ifits VRRP priority is higher than that of any other node in the clusterthat is alive and announcing itself on the network. Thus, if a nodefails, then there may be a clear priority ordering for determining whichother node in the cluster will take over the failed node's floating IPaddress.

In some cases, a cluster may include a plurality of nodes and each nodeof the plurality of nodes may be assigned a different floating IPaddress. In this case, a first hypervisor may be configured with a firstfloating IP address associated with a first node in the cluster, asecond hypervisor may be configured with a second floating IP addressassociated with a second node in the cluster, and a third hypervisor maybe configured with a third floating IP address associated with a thirdnode in the cluster.

As depicted in FIG. 3 , the software-level components of the storageappliance 300 may include data management system 302, a virtualizationinterface 304, a distributed job scheduler 308, a distributed metadatastore 310, a distributed file system 312, and one or more virtualmachine search indexes, such as virtual machine search index 306. In oneembodiment, the software-level components of the storage appliance 300may be run using a dedicated hardware-based appliance. In anotherembodiment, the software-level components of the storage appliance 300may be run from the cloud (e.g., the software-level components may beinstalled on a cloud service provider).

In some cases, the data storage across a plurality of nodes in a cluster(e.g., the data storage available from the one or more physical machine(e.g., physical machine 314 and physical machine 324)) may be aggregatedand made available over a single file system namespace (e.g.,/snapshots/). A directory for each virtual machine protected using thestorage appliance 300 may be created (e.g., the directory for VirtualMachine A may be /snapshots/VM_A). Snapshots and other data associatedwith a virtual machine may reside within the directory for the virtualmachine. In one example, snapshots of a virtual machine may be stored insubdirectories of the directory (e.g., a first snapshot of VirtualMachine A may reside in /snapshots/VM_A/s1/ and a second snapshot ofVirtual Machine A may reside in /snapshots/VM_A/s2/).

The distributed file system 312 may present itself as a single filesystem, in which as new physical machines or nodes are added to thestorage appliance 300, the cluster may automatically discover theadditional nodes and automatically increase the available capacity ofthe file system for storing files and other data. Each file stored inthe distributed file system 312 may be partitioned into one or morechunks or shards. Each of the one or more chunks may be stored withinthe distributed file system 312 as a separate file. The files storedwithin the distributed file system 312 may be replicated or mirroredover a plurality of physical machines, thereby creating a load-balancedand fault tolerant distributed file system. In one example, storageappliance 300 may include ten physical machines arranged as a failovercluster and a first file corresponding with a snapshot of a virtualmachine (e.g., /snapshots/VM_A/s1.s1.full) may be replicated and storedon three of the ten machines.

The distributed metadata store 310 may include a distributed databasemanagement system that provides high availability without a single pointof failure. In one embodiment, the distributed metadata store 310 maycomprise a database, such as a distributed document-oriented database.The distributed metadata store 310 may be used as a distributed keyvalue storage system. In one example, the distributed metadata store 310may comprise a distributed NoSQL key value store database. In somecases, the distributed metadata store 310 may include a partitioned rowstore, in which rows are organized into tables or other collections ofrelated data held within a structured format within the key value storedatabase. A table (or a set of tables) may be used to store metadatainformation associated with one or more files stored within thedistributed file system 312. The metadata information may include thename of a file, a size of the file, file permissions associated with thefile, when the file was last modified, and file mapping informationassociated with an identification of the location of the file storedwithin a cluster of physical machines.

In one embodiment, a new file corresponding with a snapshot of a virtualmachine may be stored within the distributed file system 312 andmetadata associated with the new file may be stored within thedistributed metadata store 310. The distributed metadata store 310 mayalso be used to store a backup schedule for the virtual machine and alist of snapshots for the virtual machine that are stored using thestorage appliance 300. In some examples, the metadata for a snapshot mayinclude a time when the snapshot was taken, an expiration time for thesnapshot, a quarantine status of the snapshot, and anomalous status ofthe snapshot (e.g., if malware is identified in the snapshot duringingestion, etc.).

In some cases, the distributed metadata store 310 may be used to manageone or more versions of a virtual machine. Each version of the virtualmachine may correspond with a full image snapshot of the virtual machinestored within the distributed file system 312 or an incremental snapshotof the virtual machine (e.g., a forward incremental or reverseincremental) stored within the distributed file system 312. In oneembodiment, the one or more versions of the virtual machine maycorrespond with a plurality of files. The plurality of files may includea single full image snapshot of the virtual machine and one or moreincremental aspects derived from the single full image snapshot. Thesingle full image snapshot of the virtual machine may be stored using afirst storage device of a first type (e.g., an HDD) and the one or moreincremental aspects derived from the single full image snapshot may bestored using a second storage device of a second type (e.g., an SSD). Inthis case, only a single full image needs to be stored and each versionof the virtual machine may be generated from the single full image orthe single full image combined with a subset of the one or moreincremental aspects. Furthermore, each version of the virtual machinemay be generated by performing a sequential read from the first storagedevice (e.g., reading a single file from an HDD) to acquire the fullimage and, in parallel, performing one or more reads from the secondstorage device (e.g., performing fast random reads from an SSD) toacquire the one or more incremental aspects.

The distributed job scheduler 308 may be used for scheduling backup jobsthat acquire and store virtual machine snapshots for one or more virtualmachines over time. The distributed job scheduler 308 may follow abackup schedule to back up an entire image of a virtual machine at aparticular point in time or one or more virtual disks associated withthe virtual machine at the particular point in time. In one example, thebackup schedule may specify that the virtual machine be backed up at asnapshot capture frequency, such as every two hours or every 24 hours.Each backup job may be associated with one or more tasks to be performedin a sequence. Each of the one or more tasks associated with a job maybe run on a particular node within a cluster. In some cases, thedistributed job scheduler 308 may schedule a specific job to be run on aparticular node based on data stored on the particular node. Forexample, the distributed job scheduler 308 may schedule a virtualmachine snapshot job to be run on a node in a cluster that is used tostore snapshots of the virtual machine in order to reduce networkcongestion.

The distributed job scheduler 308 may comprise a distributed faulttolerant job scheduler, in which jobs affected by node failures arerecovered and rescheduled to be run on available nodes. In oneembodiment, the distributed job scheduler 308 may be fully decentralizedand implemented without the existence of a master node. The distributedjob scheduler 308 may run job scheduling processes on each node in acluster or on a plurality of nodes in the cluster. In one example, thedistributed job scheduler 308 may run a first set of job schedulingprocesses on a first node in the cluster, a second set of job schedulingprocesses on a second node in the cluster, and a third set of jobscheduling processes on a third node in the cluster. The first set ofjob scheduling processes, the second set of job scheduling processes,and the third set of job scheduling processes may store informationregarding jobs, schedules, and the states of jobs using a metadatastore, such as distributed metadata store 310. In the event that thefirst node running the first set of job scheduling processes fails(e.g., due to a network failure or a physical machine failure), thestates of the jobs managed by the first set of job scheduling processesmay fail to be updated within a threshold period of time (e.g., a jobmay fail to be completed within 30 seconds or within minutes from beingstarted). In response to detecting jobs that have failed to be updatedwithin the threshold period of time, the distributed job scheduler 308may undo and restart the failed jobs on available nodes within thecluster.

The job scheduling processes running on at least a plurality of nodes ina cluster (e.g., on each available node in the cluster) may manage thescheduling and execution of a plurality of jobs. The job schedulingprocesses may include run processes for running jobs, cleanup processesfor cleaning up failed tasks, and rollback processes for rolling-back orundoing any actions or tasks performed by failed jobs. In oneembodiment, the job scheduling processes may detect that a particulartask for a particular job has failed and in response may perform acleanup process to clean up or remove the effects of the particular taskand then perform a rollback process that processes one or more completedtasks for the particular job in reverse order to undo the effects of theone or more completed tasks. Once the particular job with the failedtask has been undone, the job scheduling processes may restart theparticular job on an available node in the cluster.

The distributed job scheduler 308 may manage a job in which a series oftasks associated with the job are to be performed atomically (i.e.,partial execution of the series of tasks is not permitted). If theseries of tasks cannot be completely executed or there is any failurethat occurs to one of the series of tasks during execution (e.g., a harddisk associated with a physical machine fails or a network connection tothe physical machine fails), then the state of a data management systemmay be returned to a state as if none of the series of tasks was everperformed. The series of tasks may correspond with an ordering of tasksfor the series of tasks and the distributed job scheduler 308 may ensurethat each task of the series of tasks is executed based on the orderingof tasks. Tasks that do not have dependencies with each other may beexecuted in parallel.

In some cases, the distributed job scheduler 308 may schedule each taskof a series of tasks to be performed on a specific node in a cluster. Inother cases, the distributed job scheduler 308 may schedule a first taskof the series of tasks to be performed on a first node in a cluster anda second task of the series of tasks to be performed on a second node inthe cluster. In these cases, the first task may have to operate on afirst set of data (e.g., a first file stored in a file system) stored onthe first node and the second task may have to operate on a second setof data (e.g., metadata related to the first file that is stored in adatabase) stored on the second node. In some embodiments, one or moretasks associated with a job may have an affinity to a specific node in acluster.

In one example, if the one or more tasks require access to a databasethat has been replicated on three nodes in a cluster, then the one ormore tasks may be executed on one of the three nodes. In anotherexample, if the one or more tasks require access to multiple chunks ofdata associated with a virtual disk that has been replicated over fournodes in a cluster, then the one or more tasks may be executed on one ofthe four nodes. Thus, the distributed job scheduler 308 may assign oneor more tasks associated with a job to be executed on a particular nodein a cluster based on the location of data required to be accessed bythe one or more tasks.

In one embodiment, the distributed job scheduler 308 may manage a firstjob associated with capturing and storing a snapshot of a virtualmachine periodically (e.g., every 30 minutes). The first job may includeone or more tasks, such as communicating with a virtualizedinfrastructure manager, such as the virtualized infrastructure manager222 in FIG. 2 , to create a frozen copy of the virtual machine and totransfer one or more chunks (or one or more files) associated with thefrozen copy to a storage appliance, such as storage appliance 300 inFIG. 1 . The one or more tasks may also include generating metadata forthe one or more chunks, storing the metadata using the distributedmetadata store 310, storing the one or more chunks within thedistributed file system 312, and communicating with the virtualizedinfrastructure manager 222 that the frozen copy of the virtual machinemay be unfrozen or released from a frozen state. The metadata for afirst chunk of the one or more chunks may include information specifyinga version of the virtual machine associated with the frozen copy, a timeassociated with the version (e.g., the snapshot of the virtual machinewas taken at 5:30 p.m. on Jun. 29, 2018), and a file path to where thefirst chunk is stored within the distributed file system 92 (e.g., thefirst chunk is located at /snapshotsNM_B/s1/s1.chunk1). The one or moretasks may also include deduplication, compression (e.g., using alossless data compression algorithm such as LZ4 or LZ77), decompression,encryption (e.g., using a symmetric key algorithm such as Triple DES orAES-256), and decryption related tasks.

The virtualization interface 304 may provide an interface forcommunicating with a virtualized infrastructure manager managing avirtualization infrastructure, such as virtualized infrastructuremanager 222 in FIG. 2 , and requesting data associated with virtualmachine snapshots from the virtualization infrastructure. Thevirtualization interface 304 may communicate with the virtualizedinfrastructure manager using an Application Programming Interface (API)for accessing the virtualized infrastructure manager (e.g., tocommunicate a request for a snapshot of a virtual machine). In thiscase, storage appliance 300 may request and receive data from avirtualized infrastructure without requiring agent software to beinstalled or running on virtual machines within the virtualizedinfrastructure. The virtualization interface 304 may request dataassociated with virtual blocks stored on a virtual disk of the virtualmachine that have changed since a last snapshot of the virtual machinewas taken or since a specified prior point in time. Therefore, in somecases, if a snapshot of a virtual machine is the first snapshot taken ofthe virtual machine, then a full image of the virtual machine may betransferred to the storage appliance. However, if the snapshot of thevirtual machine is not the first snapshot taken of the virtual machine,then only the data blocks of the virtual machine that have changed sincea prior snapshot was taken may be transferred to the storage appliance.

The virtual machine search index 306 may include a list of files thathave been stored using a virtual machine and a version history for eachof the files in the list. Each version of a file may be mapped to theearliest point-in-time snapshot of the virtual machine that includes theversion of the file or to a snapshot of the virtual machine thatincludes the version of the file (e.g., the latest point in timesnapshot of the virtual machine that includes the version of the file).In one example, the virtual machine search index 306 may be used toidentify a version of the virtual machine that includes a particularversion of a file (e.g., a particular version of a database, aspreadsheet, or a word processing document). In some cases, each of thevirtual machines that are backed up or protected using storage appliance300 may have a corresponding virtual machine search index.

In one embodiment, as each snapshot of a virtual machine is ingested,each virtual disk associated with the virtual machine is parsed in orderto identify a file system type associated with the virtual disk and toextract metadata (e.g., file system metadata) for each file stored onthe virtual disk. The metadata may include information for locating andretrieving each file from the virtual disk. The metadata may alsoinclude a name of a file, the size of the file, the last time at whichthe file was modified, and a content checksum for the file. Each filethat has been added, deleted, or modified since a previous snapshot wascaptured may be determined using the metadata (e.g., by comparing thetime at which a file was last modified with a time associated with theprevious snapshot). Thus, for every file that has existed within any ofthe snapshots of the virtual machine, a virtual machine search index maybe used to identify when the file was first created (e.g., correspondingwith a first version of the file) and at what times the file wasmodified (e.g., corresponding with subsequent versions of the file).Each version of the file may be mapped to a particular version of thevirtual machine that stores that version of the file.

In some cases, if a virtual machine includes a plurality of virtualdisks, then a virtual machine search index may be generated for eachvirtual disk of the plurality of virtual disks. For example, a firstvirtual machine search index may catalog and map files located on afirst virtual disk of the plurality of virtual disks and a secondvirtual machine search index may catalog and map files located on asecond virtual disk of the plurality of virtual disks. In this case, aglobal file catalog or a global virtual machine search index for thevirtual machine may include the first virtual machine search index andthe second virtual machine search index. A global file catalog may bestored for each virtual machine backed up by a storage appliance withina file system, such as distributed file system 312 in FIG. 3 .

The data management system 302 may comprise an application running onthe storage appliance 300 that manages and stores one or more snapshotsof a virtual machine. In one example, the data management system 302 maycomprise a highest-level layer in an integrated software stack runningon the storage appliance. The integrated software stack may include thedata management system 302, the virtualization interface 304, thedistributed job scheduler 308, the distributed metadata store 310, andthe distributed file system 312.

In some cases, the integrated software stack may run on other computingdevices, such as a server or computing device 108 in FIG. 1 . The datamanagement system 302 may use the virtualization interface 304, thedistributed job scheduler 308, the distributed metadata store 310, andthe distributed file system 312 to manage and store one or moresnapshots of a virtual machine. Each snapshot of the virtual machine maycorrespond with a point-in-time version of the virtual machine. The datamanagement system 302 may generate and manage a list of versions for thevirtual machine. Each version of the virtual machine may map to orreference one or more chunks and/or one or more files stored within thedistributed file system 312. Combined together, the one or more chunksand/or the one or more files stored within the distributed file system312 may comprise a full image of the version of the virtual machine.

FIG. 4 shows an example cluster 400 of a distributed decentralizeddatabase, according to some example embodiments. As illustrated, theexample cluster 400 includes five nodes, nodes 1-5. In some exampleembodiments, each of the five nodes runs from different machines, suchas physical machine 314 in FIG. 3 or virtual machine 220 in FIG. 2 . Thenodes in the example cluster 400 can include instances of peer nodes ofa distributed database (e.g., cluster-based database, distributeddecentralized database management system, a NoSQL database, ApacheCassandra, DataStax, MongoDB, CouchDB), according to some exampleembodiments. The distributed database system is distributed in that datais sharded or distributed across the example cluster 400 in shards orchunks and decentralized in that there is no central storage device andno single point of failure. The system operates under an assumption thatmultiple nodes may go down, up, or become non-responsive, and so on.Sharding is splitting up of the data horizontally and managing eachshard separately on different nodes. For example, if the data managed bythe example cluster 400 can be indexed using the 26 letters of thealphabet, node 1 can manage a first shard that handles records thatstart with A through E, node 2 can manage a second shard that handlesrecords that start with F through J, and so on.

In some example embodiments, data written to one of the nodes isreplicated to one or more other nodes per a replication protocol of theexample cluster 400. For example, data written to node 1 can bereplicated to nodes 2 and 3. If node 1 prematurely terminates, node 2and/or 3 can be used to provide the replicated data. In some exampleembodiments, each node of example cluster 400 frequently exchanges stateinformation about itself and other nodes across the example cluster 400using gossip protocol. Gossip protocol is a peer-to-peer communicationprotocol in which each node randomly shares (e.g., communicates,requests, transmits) location and state information about the othernodes in a given cluster.

Writing: For a given node, a sequentially written commit log capturesthe write activity to ensure data durability. The data is then writtento an in-memory structure (e.g., a memtable, write-back cache). Eachtime the in-memory structure is full, the data is written to disk in aSorted String Table data file. In some example embodiments, writes areautomatically partitioned and replicated throughout the example cluster400.

Reading: Any node of example cluster 400 can receive a read request(e.g., query) from an external client. If the node that receives theread request manages the data requested, the node provides the requesteddata. If the node does not manage the data, the node determines whichnode manages the requested data. The node that received the read requestthen acts as a proxy between the requesting entity and the node thatmanages the data (e.g., the node that manages the data sends the data tothe proxy node, which then provides the data to an external entity thatgenerated the request).

The distributed decentralized database system is decentralized in thatthere is no single point of failure due to the nodes being symmetricaland seamlessly replaceable. For example, whereas conventionaldistributed data implementations have nodes with different functions(e.g., master/slave nodes, asymmetrical database nodes, federateddatabases), the nodes of example cluster 400 are configured to functionthe same way (e.g., as symmetrical peer database nodes that communicatevia gossip protocol, such as Cassandra nodes) with no single point offailure. If one of the nodes in example cluster 400 terminatesprematurely (“goes down”), another node can rapidly take the place ofthe terminated node without disrupting service. The example cluster 400can be a container for a keyspace, which is a container for data in thedistributed decentralized database system (e.g., whereas a database is acontainer for containers in conventional relational databases, theCassandra keyspace is a container for a Cassandra database system).

FIG. 5 depicts a block diagram of a malware engine 502 according to anexample embodiment. The malware engine 502 comprises a hydrator 504, amounter 506, a detector 508, a Yet Another Recursive/Ridiculous AcronymYARA rules 510, hashes 512, a flagger 514, a recoverer 516, a privilegedeterminator 518, user privileges 520, a propagator 522, and a graphicaluser interface GUI 524.

As will be discussed in more detail below, the malware engine 502detects indicators of compromise that is present on a snapshot of anobject (e.g., virtual machine, database, file system, etc.) that showsthe snapshot may have been compromised by malware, such as ransomware.Ransomware is a piece of malware which infects an enterprise andencrypts its data. Embodiments enable an enterprise to quickly recoverall protected objects to a safe copy, bringing the business back onlineas soon as possible, cutting out the malware from IT infrastructure, andrestoring the maximum amount of data possible.

In order to initiate a recovery, the malware engine 502 determines themost recent point in time snapshot for each object that was not infectedand enables push-button recovery of the determined snapshot using theGUI 524. Specifically, a user can select an object or objects with theGUI 524 to scan snapshots in a snapshot chain of the object, e.g.,starting with a most recent snapshot and scanning successively oldersnapshots (or skipping snapshots) in a snapshot chain (reversechronological order or other order). Alternatively, a user can specify arange of snapshot to scan as well as specific objects, directories, etc.For each snapshot, the hydrator 504 will hydrate the snapshot (e.g.,materialize/instantiate the snapshot e.g., via zero data copy) and themounter 506 will mount (e.g., read without necessarily writing ortransferring data as in a restore) the hydrated snapshot in a virtualmachine (e.g., created by the hypervisor 208), which may be sandboxed(e.g., no or limited network access) via, for example, user-mode Linux.The detector 508 then scans the mounted snapshot using YARA rules 510and/or hashes 512 for malware. YARA rules 510 are a domain-specificlanguage by which intelligence about indicators of compromise can bewritten and shared for threat hunting purposes. They typically allow forthe specification of text or binary based indicators.

The detector 508 can be set to scan for malware based on all or a subsetof the hashes 512 and/or the YARA rules 510. For example, a query may befiles with hashes A and B modified in the past month. Scanning may alsobe done by filename. After a snapshot is determined to be infected basedon the presence of an indicator of compromise (e.g., matching hashand/or satisfied YARA rule), the GUI 524 can display an interfaceshowing infected versus non-infected snapshots as in example interface700. The detector 508 can be deployed so that it examines all objects ina system and displays results for all objects as shown in the exampleinterface 700.

The recoverer 516 recovers (e.g., restores, reads, mounts, etc.)non-infected snapshots, and, subject to user privileges 520, can recoverinfected snapshots and content (files) for forensic analysis, e.g., to asandboxed virtual machine. The recoverer 516 can also restorenon-infected files on infected snapshots. The privilege determinator 518optionally limits what snapshots or content can be restored based on theuser privileges 520. For example, by default, only non-infectedsnapshots may be restored. However, per user privileges 520, infectedsnapshots may be restored if a specific user requesting the restore hashigh enough privileges.

The propagator 522 propagates an infected (quarantine) status for asnapshot or content therein to other locations where a snapshot may be,e.g., archives or replicas of the snapshot, so that the duplicate of theinfected snapshot isn't accidentally restored, thereby spreadingmalware.

FIG. 6 depicts a flowchart illustrating a method 600 of scanning asnapshot for malware according to an example embodiment. In an exampleembodiment, the storage appliance 300 can execute the method 600 usingthe malware engine 502. Example methods described herein may also beimplemented in the form of executable instructions stored on amachine-readable medium or in the form of electronic circuitry. Forinstance, the operations of the method 600 may be represented byexecutable instructions that, when executed by a processor of acomputing device, cause the computing device to perform the method 600.Depending on the embodiment, an operation of an example method describedherein may be repeated in different ways or involve interveningoperations not shown. Though the operations of example methods may bedepicted and described in a certain order, the order in which theoperations are performed may vary among embodiments, includingperforming certain operations in parallel.

At operation 602, the hypervisor 208 generates a virtual machine, e.g.,virtual machine 220, which can be sandboxed (e.g., no or limited networkaccess to prevent the spread of malware to other parts of a network). Asnapshot is then mounted at operation 604, e.g., with Rubrik'sLIVEMOUNT. The snapshot may be part of a snapshot chain and accordingly,a most recent snapshot may be mounted or a specific snapshot selectedfor mounting. A range of snapshots can be specified as well as,snapshots of objects and/or directories. Data within the snapshot isthen hydrated with the hydrator 504 at operation 606, which can includematerializing/instantiating the snapshot.

The detector 508 then searches the mounted hydrated snapshot for malwareat operation 608. Searching can include applying YARA rules 510 and/orlooking for matching hashes 512 (e.g., MD5, SHA1, and/or SHA256) and/orlooking for specific file names (e.g., by name, such asABAP/Rivpas.c.intd, and/or by path prefix) and/or path matches. The YARArules 510 and/or hashes 512 may be imported (e.g., if new YARA rules 510or hashes 512 are created) and the detector 508 can search for malware608 using all or a subset of the YARA rules 510 and/or hashes 512.

For example, given a set of Indicators of Compromise encoded as YARArules in a CISA alert (such as Alert (AA20-302A) Ransomware ActivityTargeting the Healthcare and Public Health Sector), the detector 508identifies any snapshots where those indicators were found. In someexamples, the detector 508 identifies files associated with theindicators. Additionally, or alternatively, the detector 508 may receivea set of suspicious file hashes or file paths (such as from Microsoft'sHafnium IOC list) and may identify snapshots including the suspiciousfile hashes or file paths. In some examples, the detector 508 mayanalyze each file in a snapshot using one or more of: the YARA rules,suspicious file hashes, and suspicious file paths. Accordingly, thedetector 508 may detect malware (e.g., infected files), maliciouslyencrypted data, or both. Additionally, or alternatively, the detector508 may analyze sectors of a snapshot (including multiple files) or anentire snapshot using one or more of: the YARA rules, suspicious filehashes, and suspicious file paths.

Further, the detector 508 may restrict a search to specific snapshots orrange of snapshots, a subset of files/directories and/or scan a replicaof a snapshot instead an original snapshot. Restricting the search caninclude specific subsets of files or directories; file size limits, filecreation/modification timestamps (e.g., before, after, or betweentimestamp(s)); file ownership; and files added/modified in a currentsnapshot (i.e., files that were not in prior snapshot or modified sincethat snapshot). Note that once a file in a snapshot is determined to beinfected, it can be inferred that all later snapshots are infected (evenif outside of a set range) and/or that specific file in the snapshotwill be infected in later snapshots.

If, at operation 610, malware is detected, then a next most recentsnapshot in the snapshot chain is mounted and the process is repeateduntil no malware is detected at operation 610. Further, in case of falsenegatives, additional snapshots in the chain can be scanned after nomalware is detected in operation 610. Alternatively, the mounting 604through the detecting 610 can start with an oldest or base snapshot andassuming no malware was detected in the base snapshot, repeating theprocess until malware is detected. Further, once malware is detected ina snapshot, the remainder of the snapshot does not need to be scannedand the next snapshot in the snapshot chain can be searched for malware.

Further, the mounting 604 through the detecting 610 can be repeated forall or some objects of a system including virtual machines, filesystems, databases, network attached storage, etc. When malware isdetected, metadata in the snapshot can be adjusted to indicatequarantine status. For example, quarantine-related metadata for theinfected snapshots (e.g., quarantine status metadata, among otherquarantine-related metadata) may be updated for the infected snapshot.

At operation 612, the GUI 524 generates an interface, such as exampleinterface 700, as will be discussed in further detail in conjunctionwith FIG. 7 . For each object, the example interface 700 can showsnapshots over time with a status (e.g., color coded) of each snapshot(infected, not infected, encrypted, infected and partially encrypted).The example interface 700 may also illustrate a cut point above whichsnapshots are quarantined due to infection (e.g., not recoverable,recovery not permitted, recoverable with sufficient user privileges,partially recoverable, etc.). The GUI 524 may display object(s) scanned(VM, Host/Share/fileset, etc.); snapshot(s) scanned; Date/time of scan;scan filter criteria; Hash/Rules, etc. being scanned for (e.g., for YARARules: i. Rule name ii. Namespace iii. Tags iv. Hash of the rule, etc.);number of matched files; and number of matches; etc.

The GUI 524 may also provide detailed results after a searchincluding: 1. The file name & path where a match was found 2. The rule(hash, or YARA name, namespace and tags) that were matched 3. The timewhen this file was created 4. The time when this file was modified 5.The owner of this file a. Their fully qualified name (if retrievable) b.Any security identifier (e.g., SID for Windows, User ID for Linux/Unix)6. The MD5, SHA1, and SHA256 hashes of this file, etc.

A user then, using an interface such as the example interface 700,enters a command to recover a snapshot, which is received at operation614. If the selected snapshot is determined to be quarantined atoperation 616, then the method 600 ends. Else, the snapshot can berecovered by the recoverer 516 at operation 618, which can includemounting and/or restoring, etc. to a specified destination.

Accordingly, the method 600 enables users to recover data in infectedsystem without compromising recovered systems. For example, the method600 enables users to restore an object to a point prior to a malwareinfection by quickly identifying healthy snapshots that can be used toperform a full system restore. Further, as the method 600 quarantinesinfected snapshots, the method 600 prevents reinfection by malware.

FIG. 7 depicts an example interface 700 according to an exampleembodiment. The GUI 524 generates the example interface 700 in oneembodiment. The example interface 700 illustrates, for each object, asnapshot chain (e.g., in chronological order) and the status of eachsnapshot in each chain (or for the specified snapshots or rangescanned). Further, the example interface 700 may illustrate a cut pointindicating a quarantining of snapshots due to infection. For example,snapshots 702 and 708 are below the cut point and therefore not infectedand can be restored and not quarantined. On the other hand, snapshot 704is infected with malware while snapshot 706 is infected with malware andpartially encrypted by that malware. On the other hand, snapshot 710 isfully encrypted by malware (which can be determined via entropymeasurement).

FIG. 8 depicts a flowchart illustrating a method 800 of recovering anon-infected file in an infected snapshot according to an exampleembodiment. In an example embodiment, the storage appliance 300 canexecute the method 800 using the malware engine 502. Example methodsdescribed herein may also be implemented in the form of executableinstructions stored on a machine-readable medium or in the form ofelectronic circuitry. For instance, the operations of the method 800 maybe represented by executable instructions that, when executed by aprocessor of a computing device, cause the computing device to performthe method 800. Depending on the embodiment, an operation of an examplemethod described herein may be repeated in different ways or involveintervening operations not shown. Though the operations of examplemethods may be depicted and described in a certain order, the order inwhich the operations are performed may vary among embodiments, includingperforming certain operations in parallel.

At operation 802, the hypervisor 208 generates a virtual machine, e.g.,virtual machine 220, which can be sandboxed (e.g., no or minimal networkaccess to prevent the spread of malware to other parts of a network). Asnapshot is then mounted at operation 804, e.g., with Rubrik'sLIVEMOUNT. The snapshot may be part of a snapshot chain and accordingly,a most recent snapshot may be mounted or a specific snapshot selectedfor mounting. Data within the snapshot is then hydrated with thehydrator 504 at operation 806. The detector 508 then searches themounted hydrated snapshot for malware at operation 808. Searching caninclude applying YARA rules 510 and/or looking for matching hashes 512(e.g., MD5, SHA1, and/or SHA256) and/or looking for specific file names(e.g., by name, such as ABAP/Rivpas.c.intd, and/or by path prefix)and/or path matches. The YARA rules 510 and/or hashes 512 may beimported (e.g., if new YARA rules 510 or hashes 512 are created) and thedetector 508 can search for malware 808 using all or a subset of theYARA rules 510 and/or the hashes 512.

For example, given a set of Indicators of Compromise encoded as YARArules in a CISA alert (such as Alert (AA20-302A) Ransomware ActivityTargeting the Healthcare and Public Health Sector), the detector 508 mayidentify any snapshots, file paths, or both, where those indicators werefound. Or, given a set of suspicious file hashes or file paths (such asfrom Microsoft's Hafnium IOC list), the detector 508 may identify thosesnapshots, file paths, or both as well.

Further, the detector 508 may restrict a search to a range of snapshots,a subset of files/directories and/or scan a replica of a snapshotinstead an original snapshot. Restricting the search can includespecific snapshots or range of snapshots, specific subsets of files ordirectories; file size limits, file creation/modification timestamps(e.g., before, after between timestamp(s)); file ownership; and filesadded/modified in a current snapshot (i.e., files that were not in priorsnapshot or modified since that snapshot). Note that once a file in asnapshot is determined to be infected, it can be inferred that all latersnapshots are infected (even if outside of a set range) and/or thatspecific file in the snapshot will be infected in later snapshots.

If, at operation 810, malware is detected, then a next most recentsnapshot in the snapshot chain is mounted and the process is repeateduntil no malware is detected at operation 810. Further, in case of falsenegatives, additional snapshots in the chain can be scanned after nomalware is detected in operation 810. Alternatively, the mounting 804through the detecting 810 can start with an oldest or base snapshot andassuming no malware was detected in the base snapshot, repeating theprocess until malware is detected.

Further, the mounting 804 through the detecting 810 can be repeated forall objects of a system including virtual machines, file systems,databases, network attached storage, etc. When malware is detected,metadata in the snapshot can be adjusted to indicate quarantine status.

After the searching 808 is complete, the infected snapshots arequarantined at operation 812, e.g., by adjusting metadata of theinfected snapshots (e.g., changing a bit in the metadata for a fieldthat indicates infected, encrypted, etc.). For example,quarantine-related metadata for the infected snapshots (e.g., quarantinestatus metadata, among other quarantine-related metadata) may be updatedfor the infected snapshot.

At operation 814, the GUI 524 generates an interface, such as theexample interface 700. For each object, the example interface 700 canshow snapshots over time with a status (e.g., color coded) of eachsnapshot (infected, not infected, encrypted, infected and partiallyencrypted). The example interface 700 may also illustrate a cut pointabove which snapshots are quarantined (e.g., not recoverable, recoverynot permitted, recoverable with sufficient user privileges, partiallyrecoverable, etc.). The GUI 524 may display object(s) scanned (VM,Host/Share/fileset, etc.); snapshot(s) scanned; Date/time of scan; scanfilter criteria; Hash/Rules, etc. being scanned for (e.g., for YARARules: i. Rule name ii. Namespace iii. Tags iv. Hash of the rule, etc.);number of matched files; and number of matches; etc.

The GUI 524 may also provide detailed results after a searchincluding: 1. The file name & path where a match was found 2. The rule(hash, or YARA name, namespace and tags) that were matched 3. The timewhen this file was created 4. The time when this file was modified 5.The owner of this file a. Their fully qualified name (if retrievable) b.Any security identifier (e.g., SID for Windows, User ID for Linux/Unix)6. The MD5, SHA1, and SHA256 hashes of this file, etc.

A user then selects an infected snapshot, and the GUI 524 displays alist of non-infected files in the infected snapshot at operation 816 asdetermined by the search for malware at operation 808. Per a usercommand, a selected non-infected file from the infected snapshot is thenrecovered (e.g., mounted, restored, viewed, etc.) at operation 820 withthe recoverer 516. The method 800 then ends.

FIG. 9 depicts a flowchart illustrating a method 900 of recovering aninfected snapshot according to an example embodiment. In an exampleembodiment, the storage appliance 300 can execute the method 900 usingthe malware engine 502. Example methods described herein may also beimplemented in the form of executable instructions stored on amachine-readable medium or in the form of electronic circuitry. Forinstance, the operations of the method 900 may be represented byexecutable instructions that, when executed by a processor of acomputing device, cause the computing device to perform the method 900.Depending on the embodiment, an operation of an example method describedherein may be repeated in different ways or involve interveningoperations not shown. Though the operations of example methods may bedepicted and described in a certain order, the order in which theoperations are performed may vary among embodiments, includingperforming certain operations in parallel.

At operation 902, the hypervisor 208 generates a virtual machine, e.g.,virtual machine 220, which can be sandboxed (e.g., no network access toprevent the spread of malware to other parts of a network). A snapshotis then mounted at operation 904, e.g., with Rubrik's LIVEMOUNT. Thesnapshot may be part of a snapshot chain and accordingly, a most recentsnapshot may be mounted or a specific snapshot selected for mounting.Data within the snapshot is then hydrated with the hydrator 504 atoperation 906. The detector 508 then searches the mounted hydratedsnapshot for malware at operation 908. Searching can include applyingYARA rules 510 and/or looking for matching hashes 512 (e.g., MD5, SHA1,and/or SHA256) and/or looking for specific file names (e.g., by name,such as ABAP/Rivpas.c.intd, and/or by path prefix) and/or path matches.The YARA rules 510 and/or hashes 512 may be imported (e.g., if new YARArules 510 or hashes 512 are created) and the detector 508 can search formalware 908 using all or a subset of the YARA rules 510 and/or hashes512.

For example, given a set of Indicators of Compromise encoded as YARArules in a CISA alert (such as Alert (AA20-302A) Ransomware ActivityTargeting the Healthcare and Public Health Sector), the detector 508 mayidentify any snapshots, file paths, or both, where those indicators werefound. Or, given a set of suspicious file hashes or file paths (such asfrom Microsoft's Hafnium IOC list), the detector 508 may identify thosesnapshots, file paths, or both as well.

Further, the detector 508 may restrict a search to a specific snapshotsor range of snapshots, a subset of files/directories and/or scan areplica of a snapshot instead an original snapshot. Restricting thesearch can include specific subsets of files or directories; file sizelimits, file creation/modification timestamps (e.g., before, afterbetween timestamp(s)); file ownership; and files added/modified in acurrent snapshot (i.e., files that were not in prior snapshot ormodified since that snapshot).

If, at operation 910, malware is detected, then a next most recentsnapshot in the snapshot chain is mounted and the process is repeateduntil no malware is detected at operation 910. Further, in case of falsenegatives, additional snapshots in the chain can be scanned after nomalware is detected in operation 910. Alternatively, the mounting 904through the detecting 910 can start with an oldest or base snapshot andassuming no malware was detected in the base snapshot, repeating theprocess until malware is detected. Further, once malware is detected ina snapshot, the remainder of the snapshot optionally does not need to bescanned and the next snapshot in the snapshot chain can be searched formalware.

Further, the mounting 904 through the detecting 910 can be repeated forall objects of a system including virtual machines, file systems,databases, network attached storage, etc. When malware is detected,metadata in the snapshot can be adjusted to indicate quarantine status.For example, quarantine-related metadata for the infected snapshots(e.g., quarantine status metadata, among other quarantine-relatedmetadata) may be updated for the infected snapshot.

At operation 912, the GUI 524 generates an interface, such as theexample interface 700. For each object, the example interface 700 canshow snapshots over time with a status (e.g., color coded) of eachsnapshot (infected, not infected, encrypted, infected and partiallyencrypted). The example interface 700 may also illustrate a cut pointabove which snapshots are quarantined (e.g., not recoverable, recoverynot permitted, recoverable with sufficient user privileges, partiallyrecoverable, etc.). The GUI 524 may display object(s) scanned (VM,Host/Share/fileset, etc.); snapshot(s) scanned; Date/time of scan; scanfilter criteria; Hash/Rules, etc. being scanned for (e.g., for YARARules: i. Rule name ii. Namespace iii. Tags iv. Hash of the rule, etc.);number of matched files; and number of matches; etc.

The GUI 524 may also provide detailed results after a searchincluding: 1. The file name & path where a match was found 2. The rule(hash, or YARA name, namespace and tags) that were matched 3. The timewhen this file was created 4. The time when this file was modified 5.The owner of this file a. Their fully qualified name (if retrievable) b.Any security identifier (e.g., SID for Windows, User ID for Linux/Unix)6. The MD5, SHA1, and SHA256 hashes of this file, etc.

The GUI 524 then receives a command from a user to recover an infectedsnapshot at operation 914. The privilege determinator 518 thendetermines at operation 916 if the user has sufficient privileges torecover an infected snapshot based on the user privileges 520, whichlists recovery privileges for users for infected snapshots and files. Ifthe user has insufficient privileges, the recoverer 516 will not recoverthe infected snapshot and the method 900 ends. Otherwise, if the userhas sufficient privileges at operation 916 then the recoverer 516 willrecover (e.g., mount, restore, examine, read, etc.) the selectedinfected snapshot at operation 918. Optionally, the selected snapshotcan be recovered to a sandboxed virtual machine. The method 900 thenends.

In an embodiment the method 900 may further comprise propagating thequarantine status to other infected snapshots (e.g., replicas ofinfected snapshots). Quarantine status may be indicated in metadata of asnapshot (e.g., via setting a bit) and the related snapshots can bemarked similarly by looking up a record of snapshots and replicas andthen marking metadata of the related (e.g., replica) snapshot.

FIG. 10 depicts a flowchart illustrating a method 1000 of recoveringnon-infected content within an infected snapshot according to an exampleembodiment. In an example embodiment, the storage appliance 300 canexecute the method 1000 using the malware engine 502. Example methodsdescribed herein may also be implemented in the form of executableinstructions stored on a machine-readable medium or in the form ofelectronic circuitry. For instance, the operations of the method 1000may be represented by executable instructions that, when executed by aprocessor of a computing device, cause the computing device to performthe method 1000. Depending on the embodiment, an operation of an examplemethod described herein may be repeated in different ways or involveintervening operations not shown. Though the operations of examplemethods may be depicted and described in a certain order, the order inwhich the operations are performed may vary among embodiments, includingperforming certain operations in parallel.

At operation 1002, the hypervisor 208 generates a virtual machine, e.g.,virtual machine 220, which can be sandboxed (e.g., no network access toprevent the spread of malware to other parts of a network). A snapshotis then mounted at operation 1004, e.g., with Rubrik's LIVEMOUNT. Thesnapshot may be part of a snapshot chain and accordingly, a most recentsnapshot may be mounted or a specific snapshot selected for mounting.Data within the snapshot is then hydrated with the hydrator 504 atoperation 1006, which can include deduplicating data. The detector 508then searches the mounted hydrated snapshot for malware at operation1008. Searching can include applying YARA rules 510 and/or looking formatching hashes 512 (e.g., MD5, SHA1, and/or SHA256) and/or looking forspecific file names (e.g., by name, such as ABAP/Rivpas.c.intd, and/orby path prefix) and/or path matches. The YARA rules 510 and/or hashes512 may be imported (e.g., if new YARA rules 510 or hashes 512 arecreated) and the detector 508 can search for malware 1008 using all or asubset of the YARA rules 510 and/or hashes 512.

For example, given a set of Indicators of Compromise encoded as YARArules in a CISA alert (such as Alert (AA20-302A) Ransomware ActivityTargeting the Healthcare and Public Health Sector), the detector 508 mayidentify any snapshots, file paths, or both, where those indicators werefound. Or, given a set of suspicious file hashes or file paths (such asfrom Microsoft's Hafnium IOC list), the detector 508 may identify thosesnapshots, file paths, or both as well.

Further, the detector 508 may restrict a search to a specific snapshotsor range of snapshots, a subset of files/directories and/or scan areplica of a snapshot instead an original snapshot. Restricting thesearch can include specific subsets of files or directories; file sizelimits, file creation/modification timestamps (e.g., before, afterbetween timestamp(s)); file ownership; and files added/modified in acurrent snapshot (i.e., files that were not in prior snapshot ormodified since that snapshot).

If, at operation 1010, malware is detected, then a next most recentsnapshot in the snapshot chain is mounted and the process is repeateduntil no malware is detected at operation 1010. Further, in case offalse negatives, additional snapshots in the chain can be scanned afterno malware is detected in operation 1010. Alternatively, the mounting1004 through the detecting 1010 can start with an oldest or basesnapshot and assuming no malware was detected in the base snapshot,repeating the process until malware is detected.

Further, the mounting 1004 through the detecting 1010 can be repeatedfor all objects of a system including virtual machines, file systems,databases, network attached storage, etc. When malware is detected,metadata in the snapshot can be adjusted to indicate quarantine status.For example, quarantine-related metadata for the infected snapshots(e.g., quarantine status metadata, among other quarantine-relatedmetadata) may be updated for the infected snapshot.

At operation 1012, the GUI 524 generates an interface, such as theexample interface 700. For each object, the example interface 700 canshow snapshots over time with a status (e.g., color coded) of eachsnapshot (infected, not infected, encrypted, infected and partiallyencrypted). The example interface 700 may also illustrate a cut pointabove which snapshots are quarantined (e.g., not recoverable, recoverynot permitted, recoverable with sufficient user privileges, partiallyrecoverable, etc.). The GUI 524 may display object(s) scanned (VM,Host/Share/fileset, etc.); snapshot(s) scanned; Date/time of scan; scanfilter criteria; Hash/Rules, etc. being scanned for (e.g., for YARARules: i. Rule name ii. Namespace iii. Tags iv. Hash of the rule, etc.);number of matched files; and number of matches; etc.

The GUI 524 may also provide detailed results after a searchincluding: 1. The file name & path where a match was found 2. The rule(hash, or YARA name, namespace and tags) that were matched 3. The timewhen this file was created 4. The time when this file was modified 5.The owner of this file a. Their fully qualified name (if retrievable) b.Any security identifier (e.g., SID for Windows, User ID for Linux/Unix)6. The MD5, SHA1, and SHA256 hashes of this file, etc.

At operation 1014, the most recent non-infected snapshot is recovered(e.g., mounted, restored, etc.). Then, non-infected content related tothe recovered snapshot is identified in more recent infected snapshotsbased on the prior searching 1008 at operation 1016. Then content (e.g.,files) from the non-infected snapshot selected by a user can berecovered in the more recent snapshots using forward incrementalrecovery until an infected or encrypted content is reached correspondingto the selected content. Alternatively, all content can be restoredusing forward incremental recovery for each content until infected orencrypted content is reached. In this way, the most recent non-infectedcontent available is recovered even if some of the snapshots holdingrelevant content are infected.

For example, for a selected content including a file in a non-infectedsnapshot, that file can first be recovered in the most recentnon-infected snapshot, then starting with the next (infected) snapshotin the snapshot chain, the next incremental file can be recovered, andrepeated until infected or encrypted content is reached. Alternatively,as the snapshots have already been searched for malware at 1008, themost recent infected snapshot with the selected file can be identifiedand the selected file recovered from that infected snapshot. In effect,while the example interface 700 shows a cut point at the snapshot level,there may be a cut point further up in the snapshot chain on a finergrained level (e.g., content level). The method 1000 then ends.

The following set of examples describe various embodiments of methods,computer-readable media, and systems (e.g., machines, devices, or otherapparatus) discussed herein.

A method is described. The method may include identifying a most recentsnapshot in a snapshot chain that is not infected by malware, whereinsaid identifying comprises mounting snapshots in the snapshot chain anddetermining whether said snapshots are infected by malware; receiving aselection, from a user, of an infected snapshot, the infected snapshotbeing more recent than the identified most recent snapshot; mounting theselected infected snapshot; determining which content in the selectedinfected snapshot are not infected; and recovering at least one of thenon-infected content.

An apparatus is described. The apparatus may include a processor, memorycoupled with the processor, and instructions stored in the memory. Theinstructions may be executable by the processor to cause the apparatusto identify a most recent snapshot in a snapshot chain that is notinfected by malware, wherein said identifying comprises mountingsnapshots in the snapshot chain and determining whether said snapshotsare infected by malware; receive a selection, from a user, of aninfected snapshot, the infected snapshot being more recent than theidentified most recent snapshot; mounting the selected infectedsnapshot; determine which content in the selected infected snapshot arenot infected; and recover at least one of the non-infected content.

Another apparatus is described. The apparatus may include means foridentifying a most recent snapshot in a snapshot chain that is notinfected by malware, wherein said identifying comprises mountingsnapshots in the snapshot chain and determining whether said snapshotsare infected by malware; receiving a selection, from a user, of aninfected snapshot, the infected snapshot being more recent than theidentified most recent snapshot; mounting the selected infectedsnapshot; determining which content in the selected infected snapshotare not infected; and recovering at least one of the non-infectedcontent.

A non-transitory computer-readable medium storing code is described. Thecode may include instructions executable by a processor to identify amost recent snapshot in a snapshot chain that is not infected bymalware, wherein said identifying comprises mounting snapshots in thesnapshot chain and determining whether said snapshots are infected bymalware; receive a selection, from a user, of an infected snapshot, theinfected snapshot being more recent than the identified most recentsnapshot; mounting the selected infected snapshot; determine whichcontent in the selected infected snapshot are not infected; and recoverat least one of the non-infected content.

In some examples of the method, apparatuses, and non-transitorycomputer-readable medium described herein, the identifying comprisesmounting the snapshots in the snapshot chain in reverse chronologicalorder.

In some examples of the method, apparatuses, and non-transitorycomputer-readable medium described herein, the mounting and thedetermining is repeated until a non-infected snapshot in the snapshotchain is identified.

In some examples of the method, apparatuses, and non-transitorycomputer-readable medium described herein, the mounting and thedetermining is repeated past a non-infected snapshot in the snapshotchain is identified.

Some examples of the method, apparatuses, and non-transitorycomputer-readable medium described herein may further includeoperations, features, means, or instructions for repeating theidentifying for all objects in a system.

In some examples of the method, apparatuses, and non-transitorycomputer-readable medium described herein, the determining comprisesapplying YARA rules and hash matching to the mounted snapshot.

In some examples of the method, apparatuses, and non-transitorycomputer-readable medium described herein, the mounting mounts snapshotsin a sandboxed virtual machine.

Some examples of the method, apparatuses, and non-transitorycomputer-readable medium described herein may further includeoperations, features, means, or instructions for hydrating data in amounted snapshot before the determining.

Some examples of the method, apparatuses, and non-transitorycomputer-readable medium described herein may further includeoperations, features, means, or instructions for displaying a graphicaluser interface showing individual snapshots in the snapshot chain,wherein a representation of a snapshot indicates whether said snapshotis infected with malware and displaying on the graphical user interfacea cut point between infected and non-infected snapshots in the snapshotchain, wherein only non-infected content in the infected snapshots abovethe cut point can be recovered.

The terms “machine-readable medium,” “computer-readable medium” and“device-readable medium” mean the same thing and may be usedinterchangeably in this disclosure. The terms are defined to includeboth machine-storage media and transmission media. Thus, the termsinclude both storage devices/media and carrier waves/modulated datasignals.

Although examples have been described with reference to specific exampleembodiments or methods, it will be evident that various modificationsand changes may be made to these embodiments without departing from thebroader scope of the embodiments. Accordingly, the specification anddrawings are to be regarded in an illustrative rather than a restrictivesense. The accompanying drawings that form a part hereof, show by way ofillustration, and not of limitation, specific embodiments in which thesubject matter may be practiced. The embodiments illustrated aredescribed in sufficient detail to enable those skilled in the art topractice the teachings disclosed herein. Other embodiments may beutilized and derived therefrom, such that structural and logicalsubstitutions and changes may be made without departing from the scopeof this disclosure. This detailed description, therefore, is not to betaken in a limiting sense, and the scope of various embodiments isdefined only by the appended claims, along with the full range ofequivalents to which such claims are entitled.

Such embodiments of the inventive subject matter may be referred toherein, individually and/or collectively, by the term “invention” merelyfor convenience and without intending to voluntarily limit the scope ofthis application to any single invention or inventive concept if morethan one is in fact disclosed. Thus, although specific embodiments havebeen illustrated and described herein, it should be appreciated that anyarrangement calculated to achieve the same purpose may be substitutedfor the specific embodiments shown. This disclosure is intended to coverany and all adaptations or variations of various embodiments.Combinations of the above embodiments, and other embodiments notspecifically described herein, will be apparent to those of skill in theart upon reviewing the above description.

What is claimed is:
 1. A method, comprising: identifying a most recentsnapshot in a snapshot chain that is not infected by malware, whereinthe identifying comprises mounting snapshots in the snapshot chain anddetermining whether the snapshots are infected by malware; receiving aselection, from a user, of an infected snapshot, the infected snapshotbeing more recent than the identified most recent snapshot; mounting theselected infected snapshot; determining which content in the selectedinfected snapshot are not infected; and recovering at least one of thenon-infected content.
 2. The method of claim 1, where the identifyingcomprises: mounting the snapshots in the snapshot chain in reversechronological order.
 3. The method of claim 2, where the mounting andthe determining is repeated until a non-infected snapshot in thesnapshot chain is identified.
 4. The method of claim 2, wherein themounting and the determining is repeated past a non-infected snapshot inthe snapshot chain is identified.
 5. The method of claim 1, furthercomprising: repeating the identifying for all objects in a system. 6.The method of claim 1, wherein the determining comprises: applying YARArules and hash matching to the mounted snapshot.
 7. The method of claim1, wherein the snapshots are mounted in a sandboxed virtual machine. 8.The method of claim 1, further comprising: hydrating data in a mountedsnapshot before the determining.
 9. The method of claim 1, furthercomprising: displaying a graphical user interface showing individualsnapshots in the snapshot chain, wherein a representation of a snapshotindicates whether the snapshot is infected with malware; and displayingon the graphical user interface a cut point between infected andnon-infected snapshots in the snapshot chain, wherein only non-infectedcontent in the infected snapshots above the cut point can be recovered.10. An apparatus, comprising: a processor; and a memory storinginstructions that, when executed by the processor, cause the apparatusto: identify a most recent snapshot in a snapshot chain that is notinfected by malware, wherein the identifying comprises mountingsnapshots in the snapshot chain and determining whether the snapshotsare infected by malware; receive a selection, from a user, of aninfected snapshot, the infected snapshot being more recent than theidentified most recent snapshot; mount the selected infected snapshot;determine which content in the selected infected snapshot are notinfected; and recover at least one of the non-infected content.
 11. Theapparatus of claim 10, wherein, to identify the most recent snapshot,the instructions are further executable by the processor to cause theapparatus to: mount the snapshots in the snapshot chain in reversechronological order.
 12. The apparatus of claim 11, wherein theinstructions are further executable by the processor to cause theapparatus to: repeat the mounting and the determining until anon-infected snapshot in the snapshot chain is identified.
 13. Theapparatus of claim 11, wherein the instructions are further executableby the processor to cause the apparatus to: repeat the mounting and thedetermining past a non-infected snapshot in the snapshot chain isidentified.
 14. The apparatus of claim 10, wherein the instructions arefurther executable by the processor to cause the apparatus to: repeatthe identifying for all objects in a system.
 15. The apparatus of claim10, wherein, to determine whether the snapshots are infected by themalware, the instructions are further executable by the processor tocause the apparatus to: apply YARA rules and hash matching to themounted snapshot.
 16. The apparatus of claim 10, wherein the snapshotsare mounted in a sandboxed virtual machine.
 17. The apparatus of claim10, wherein the instructions are further executable by the processor tocause the apparatus to: hydrate data in a mounted snapshot before thedetermining.
 18. The apparatus of claim 10, wherein the instructions arefurther executable by the processor to cause the apparatus to: display agraphical user interface showing individual snapshots in the snapshotchain, wherein a representation of a snapshot indicates whether thesnapshot is infected with malware; and display on the graphical userinterface a cut point between infected and non-infected snapshots in thesnapshot chain, wherein only non-infected content in the infectedsnapshots above the cut point can be recovered.
 19. The apparatus ofclaim 10, wherein the instructions are further executable by theprocessor to cause the apparatus to: quarantine snapshots determined tobe infected so that the infected snapshots cannot be recovered.
 20. Anon-transitory, computer-readable medium storing code comprisinginstructions executable by a processor of a device to cause the deviceto: identify a most recent snapshot in a snapshot chain that is notinfected by malware, wherein the identifying comprises mountingsnapshots in the snapshot chain and determining whether the snapshotsare infected by malware; receive a selection, from a user, of aninfected snapshot, the infected snapshot being more recent than theidentified most recent snapshot; mount the selected infected snapshot;determine which content in the selected infected snapshot are notinfected; and recover at least one of the non-infected content.